Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

Brian Campbell <bcampbell@pingidentity.com> Tue, 11 August 2020 20:35 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 11 Aug 2020 14:35:20 -0600
Message-ID: <CA+k3eCTsgV9dnR8Wqe6+n1OO278JvGA4OXd5UF-Cn4AzjJf2xw@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0eaE>

I also suspect the Jwsreq authors won't respond to this and the
request/suggestion will be ignored. Which is discouraging. I realize it's
late in the process for this document but it's been in IESG Evaluation
since early 2017. And the recent ballot comments
https://mailarchive.ietf.org/arch/msg/oauth/FMljWETMEkGTI4pUluqIqtAJ_9A/
suggest changes to the draft should still be forthcoming. So also adding a
brief statement to the security considerations doesn't seem inconceivable.

On Thu, Jul 23, 2020 at 2:29 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> In hindsight, yeah, having explicit JWT typing everywhere would be nice.
> But retrofitting would be a very major undertaking, which I don't think
> could reasonably be justified considering cost–benefit.
>
> I can't speak directly for the Jwsreq authors but I suspect considerations
> around backward/forward compatibility with OIDC's JWT request and even
> existing implementations of the Jwsreq draft that has been in draft forever
> came into play.
>
> On Wed, Jul 22, 2020 at 11:38 PM Dominick Baier <dbaier@leastprivilege.com>
> wrote:
>
>> Even more. Jwsreq should have it. But the authors decided against it.
>>
>> ———
>> Dominick Baier
>>
>> On 23. July 2020 at 07:38:04, Dominick Baier (dbaier@leastprivilege.com)
>> wrote:
>>
>> Good point. Thanks, Brian.
>>
>> We should retrofit typs everywhere, in hindsight.
>>
>> ———
>> Dominick Baier
>>
>> On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com)
>> wrote:
>>
>> Because it wouldn't actually prevent it in this case due to JWT assertion
>> client authentication (a.k.a. private_key_jwt) having come about well
>> before the JWT BCP and the established concept of using the 'typ' header to
>> prevent cross-JWT confusion. Thus there's no validation rule regarding the
>> 'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
>> typing the request object JWT doesn't do anything to prevent it from being
>> used in the context of previously existing JWT applications like client
>> auth.
>>
>> On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <
>> dbaier@leastprivilege.com> wrote:
>>
>>> Why not use a typ header as suggested by the JWT BCP?
>>>
>>> ———
>>> Dominick Baier
>>>
>>> On 22. July 2020 at 17:37:41, Brian Campbell (
>>> bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>>>
>>> The TL;DR here is a somewhat tentative suggestion that a brief security
>>> consideration be added to
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that
>>> prohibits the inclusion of a 'sub' claim containing the client id value in
>>> the request object JWT so as to prevent the request object JWT (which is
>>> exposed to the user agent) from being erroneously accepted as a valid JWT
>>> for client authentication.
>>>
>>> Some more details and the discussion that led to this here email can be
>>> found at https://github.com/oauthstuff/draft-oauth-par/issues/41
>>>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
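The confusion discussed in the thread above, as an added worked example that is not part of the original messages or of any of the drafts they cite: a JAR request object and an RFC 7523 client_assertion are both signed with the client's registered key, both carry iss=client_id and aud=AS, and the request object travels through the user agent. If a request object also carries sub=client_id, a token endpoint applying only the RFC 7523 claim rules accepts it as client authentication, and a 'typ' header on the request object changes nothing because RFC 7523 never defines a typ check. The second validator applies the rule the thread proposes (reject any request object whose 'sub' is the client id). All identifiers, URLs, keys and the fixed clock value are constructed, and HS256 over a shared secret stands in for the client's asymmetric key so the example runs on the standard library alone.

```python
"""Cross-JWT confusion: JAR request object vs. RFC 7523 client assertion.

Constructed example.  HS256 with CLIENT_KEY stands in for the client's
registered asymmetric key; the claim checks are the point, not the crypto.
"""
import base64
import hashlib
import hmac
import json

CLIENT_ID = "s6BhdRkqt3"                     # constructed client id
AS_ISSUER = "https://as.example"             # constructed AS identifier
TOKEN_ENDPOINT = "https://as.example/token"  # constructed token endpoint URL
CLIENT_KEY = b"constructed-client-key"       # stand-in for the client's key
NOW = 1_597_178_147                          # fixed clock so results are stable


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, typ: str = "JWT") -> str:
    """Compact JWS over the claims (HS256 stands in for the client's key)."""
    header = {"alg": "HS256", "typ": typ}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jws(token: str, key: bytes) -> tuple:
    """Verify the signature and return (header, claims); raise on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def client_assertion_is_valid(token: str, client_id: str, now: int = NOW) -> bool:
    """Token-endpoint check of a private_key_jwt assertion using only the
    claim rules of RFC 7523 section 3 (iss, sub, aud, exp).  It deliberately
    ignores 'typ': RFC 7523 predates the JWT BCP and defines no typ rule,
    so an explicitly typed request object passes just the same."""
    try:
        _, claims = verify_jws(token, CLIENT_KEY)
    except ValueError:
        return False
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == client_id
        and claims.get("sub") == client_id
        and any(a in (AS_ISSUER, TOKEN_ENDPOINT) for a in aud)  # either is common
        and isinstance(claims.get("exp"), int)
        and claims["exp"] > now
    )


def request_object_is_valid(token: str, client_id: str) -> bool:
    """Authorization-endpoint check of a JAR request object with the rule
    proposed in the thread: a request object whose 'sub' equals the client
    id is rejected, so clients never mint one that doubles as a client
    assertion.  Other checks here are a minimal, constructed baseline."""
    try:
        _, claims = verify_jws(token, CLIENT_KEY)
    except ValueError:
        return False
    if claims.get("iss") != client_id or claims.get("client_id") != client_id:
        return False
    if claims.get("aud") != AS_ISSUER:
        return False
    if claims.get("sub") == client_id:  # the proposed prohibition
        return False
    return True


def demo() -> dict:
    """Build two request objects (one mistakenly carrying sub=client_id) and
    run each through both validators."""
    base = {"iss": CLIENT_ID, "aud": AS_ISSUER, "client_id": CLIENT_ID,
            "response_type": "code", "redirect_uri": "https://client.example/cb",
            "scope": "openid", "state": "af0ifjsldkj", "exp": NOW + 300}
    # Typed as a request object (oauth-authz-req+jwt is the media type later
    # registered by RFC 9101); the typ is still invisible to the 7523 check.
    confused = sign_jwt({**base, "sub": CLIENT_ID}, CLIENT_KEY, typ="oauth-authz-req+jwt")
    clean = sign_jwt(base, CLIENT_KEY, typ="oauth-authz-req+jwt")
    return {
        "confused_accepted_as_client_auth": client_assertion_is_valid(confused, CLIENT_ID),
        "confused_accepted_as_request_object": request_object_is_valid(confused, CLIENT_ID),
        "clean_accepted_as_client_auth": client_assertion_is_valid(clean, CLIENT_ID),
        "clean_accepted_as_request_object": request_object_is_valid(clean, CLIENT_ID),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script: the request object with sub=client_id is accepted by the token endpoint's client-authentication check and rejected at the authorization endpoint, while the one without 'sub' is accepted as a request object and fails client authentication. The asymmetry shows why the fix lives in the request-object rules rather than in a typ check that RFC 7523 validators were never required to perform.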